DETAILED ACTION

1. This action is in response to the communication filed on March 06, 2008. Claims 1-6, 8-77
and 110-122 along with new claims 123-132 are pending.

Information Disclosure Statement 

2. An initialed and dated copy of Applicant's IDS form 1449 is attached to the Office action. 

Response to Arguments 

3. Applicant's arguments with respect to the rejection(s) of claim(s) 1-6, 8-42, 125-126 
have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. 
Claims 48, 118, and 124, are objected to as being dependent upon a rejected base claim, but 
would be allowable if rewritten in independent form including all of the limitations of the base 
claim and any intervening claims. 

As per Claims 43-47, 49-77, 110-117, 119-123 and 127-132, upon further consideration,
a new ground(s) of rejection is made in view of McCreight et al. (Patent 6,792,545). 

Allowable Subject Matter 

4. Claims 1 - 6, 8 - 42 and 125 - 126 are allowed. 

5. Claims 48, 118, and 124, are objected to as being dependent upon a rejected base 
claim, but would be allowable if rewritten in independent form including all of the limitations of 
the base claim and any intervening claims. 

Claim Rejections - 35 USC §102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States
only if the international application designated the United States and was published under Article 21(2)
of such treaty in the English language. 

6. Claims 43-47, 49-77, 110-117, 119-123 and 127-132 are rejected under 35 
U.S.C. 102(e) as being anticipated by McCreight et al. (Patent 6,792,545). 

7. As per Claim 43, McCreight teaches "a target computing device; a forensic device 
coupled to the target computing device via a communication link; a client device; and a user 
interface module to present a user interface for the forensic device that is remotely accessible 
by the client device, wherein the forensic device receives input via the user interface that 
identifies computer evidence to acquire from a target computing device and, in response, 
acquires the computer evidence from the target computing device, stores the computer 
evidence, and presents the computer evidence to the remote user for analysis via the user 
interface" (Summary and Fig. 2 and corresponding text). McCreight discloses investigating a 
target machine via collecting from files, performs searches including file signature, file 
extension, paths and time/date stamps (Column 7 line 48 - Column 8 line 30). 

8. As per Claims 71 and 113, McCreight teaches "receiving input from a remote user that
identifies computer evidence to be acquired from a target computing device; determining an 
order in which to perform acquisition operations to acquire the computer evidence from the 
target computing device with reduced impact on other data stored on the target computing 
device, wherein acquisition operations to acquire at least one of an log file and communication 
statistics occur in the order prior to any other acquisition operations; and communicating 
commands to initiate the acquisition operations on the target computing device in accordance 
with the determined order" (Summary and Fig. 2 and corresponding text). McCreight discloses 
investigating a target machine via collecting from files, performs searches including file 
signature, file extension, paths and time/date stamps (Column 7 line 48 - Column 8 line 30).

9. As per Claims 110, 127, 129 and 131, McCreight teaches "A forensic analysis device
that is adapted to operate as an intermediate device between a target computing device and a 
client device associated with a remote forensic investigator, wherein the analysis device 
comprises an acquisition module to acquire state information from the target computing device 
and store the state information on the forensic device while the target device remains active" 
(Column 6 line 58 - Column 7 line 34). 

10. As per Claims 44, 114 and 123, McCreight teaches "wherein presenting the user 
interface for the forensic device through which the remote user views and analyzes the 
computer evidence acquired from the target computing device comprises presenting the user 
interface for the forensic device through which the remote user views and analyzes the 
computer evidence acquired from the target computing device on-line" (Column 7 line 48 - 
Column 8 line 30). 

11. As per Claims 45-47, 49, 76-77, 111-112 and 115-117, McCreight teaches "acquiring
additional computer evidence while the remote user views and analyzes the previously acquired 
computer evidence" and "wherein receiving input from the remote user that identifies computer 
evidence to acquire comprises receiving input from the remote user that identifies at least one 
acquisition operation to perform, and further wherein acquiring the computer evidence from the 
target computing device comprises performing the acquisition operation to acquire the computer 
evidence" (Column 5 lines 38 - 52). 

12. As per Claims 50, 119-120, McCreight teaches "automatically selecting at least one of a
plurality of access methods via which to perform the acquisition operation based on the target 
computing device and the type of computer evidence to acquire; and communicating commands 
associated with the acquisition operation to the target computing device via the selected 
acquisition methods" and "wherein the access methods include at least one of Windows
Management Instrumentation (WMI), Server Message Block (SMB), Secure Shell (SSH),
Remote Shell (RSH), Network File System (NFS), Apple Filing Protocol (AFP), File Transfer 
Protocol (FTP), and Hypertext Transfer Protocol (HTTP)" (Column 5 line 38 - 67). 

13. As per Claims 51-57, McCreight teaches "receiving case information and target device 
information from a user to define a new inquiry; creating a new inquiry based on the received 
information; and associating the new inquiry with a case, wherein the target computing device 
information includes at least one of a target computing device host name, IP address, operating 
system, access methods and password" (Fig. 10 and associated text). 

14. As per Claims 58-59, 60 and 121-122, McCreight teaches "normalizing the acquired 
computer evidence to a common format; and storing the normalized computer evidence, 
wherein normalizing the acquired computer evidence to a common format comprises at least 
one of converting timestamp data from a local time zone of the target computing device to a 
standard time zone, converting data having host names and IP addresses to all host names, 
converting data having host names and IP addresses to all IP addresses, and normalizing the 
clock of the target computing device to that of the forensic device" (Column 16 lines 23-39). 

15. As per Claim 60, McCreight teaches "performing a cryptographic hash on the computer 
evidence; and storing the resulting hash value" (Column 16 lines 23-39). 

16. As per Claim 61, McCreight teaches "maintaining an audit log of transactions performed 
by the forensic device, wherein maintaining the audit log comprises at least one of tracking 
computer evidence downloaded from the target computing device, browsing of the computer 
evidence by the remote user, and analyses performed on the computer evidence, and wherein 
the audit log comprises a timestamp corresponding to each transaction, an investigator identifier 
corresponding to the investigator performing each transaction, and a description of each 
transaction" (Column 6 lines 1-8).

17. As per Claims 62-66, McCreight teaches "wherein the computer evidence comprises at
least one log file, the method further comprising: receiving input from the user to analyze the log 
file for tampering; analyzing the log file to detect log file tampering; and displaying to the user 
the results of the analysis, wherein detecting absent periodic events within the log file 
comprises: searching for the log file for the periodic event identifier; computing the amount of 
time that elapsed between each of the periodic event identifiers; and comparing the period of 
the event with the computed elapsed times to detect absent periodic events" (Background and 
Column 8 lines 23-37). 

18. As per Claims 67, 128, 130 and 132, McCreight teaches "wherein acquiring the 
computer evidence from the target computing device comprises acquiring an image of at least 
one of a disk attached to the target computing device and a memory of the target computing 
device, and further comprising examining the acquired image to identify at least one of files, 
process or operating system data structures, boot information, deleted files or directories, and 
data hidden in unallocated space" (Background and Column 8 lines 23-37). 

19. As per Claims 68-70, McCreight teaches "wherein the target computing device comprises
one of a personal computer, a handheld computer, a laptop, a workstation, a router, a gateway 
device, a firewall device, a web server, a file server, a database server, a mail server, a print 
server, a network-enabled personal digital assistant, and a network-enabled phone" (Fig. 6B 
and associated text). 

20. As per Claims 72-75, McCreight teaches "wherein communicating commands 
associated with the acquisition operations to the target computing device comprises: 
communicating commands associated with an acquisition operation to acquire communication 
statistics to the target computing device; communicating commands associated with an 
acquisition operation to acquire log file to the target computing device after the commands
associated with the acquisition operation to acquire the communication statistics, further
comprising communicating commands associated with an acquisition operation to acquire 
general system information to the target computing device after the commands associated with 
the acquisition operation to acquire the log file" (Fig. 5 and associated text). 

Conclusion 

Examiner's Note: Examiner has cited particular columns and line numbers in the 
references as applied to the claims above for the convenience of the applicant. Although the 
specified citations are representative of the disclosing in the art and are applied to the specific 
limitations within the individual claim, other passages and figures may apply as well. It is 
respectfully requested from the applicant, in preparing the responses, to fully consider the 
references in entirety as potentially disclosing all or part of the claimed invention, as well as the 
context of the passage as taught by the prior art or disclosed by the examiner. 

The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. See PTO Form 892. 

Applicant is urged to consider the references. However, the references should be 
evaluated by what they suggest to one versed in the art, rather than by their specific disclosure. 
If applicants are aware of any better prior art than those cited, they are required to bring the
prior art to the attention of the examiner. 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Pramila Parthasarathy whose telephone number is 571-272-3866. The 
examiner can normally be reached on 8:00 a.m. to 5:00 p.m. If attempts to reach the examiner
by telephone are unsuccessful, the examiner's supervisor, Nasser Moazzami can be reached
on 571-232-4195. Any inquiry of a general nature or relating to the status of this application or 
proceeding should be directed to the receptionist whose telephone number is 703-305-3900. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR only. For more information about the 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

/Pramila Parthasarathy/ 
Examiner, Art Unit 2136 
June 8, 2008 



